US6229806B1 - Authentication in a packet data system

Publication number: US6229806B1
Application number: US09/000,645
Authority: US (United States)
Legal status: Expired - Lifetime (as listed by Google Patents; not a legal conclusion)
Prior art keywords: host, authentication information, user device, data packet, gateway
Inventors: Thomas Wayne Lockhart, Geoffrey Richard Scotton, Karl Anthony Reardon
Original assignee: Motorola Inc
Current assignee: Google Technology Holdings LLC
Assignment history: inventors -> Motorola, Inc. (assignment) -> Motorola Mobility, Inc (assignment) -> Motorola Mobility LLC (change of name) -> Google Technology Holdings LLC (assignment)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/12 Applying verification of the received information
    • H04L 63/126 Applying verification of the received information the source of the received data

Definitions

  • Alternatively, the timer 55 can be set to 0. In such an instance, the session ends as soon as the first self-authenticating packet is delivered to the host. Preferably, however, the timer 55 defines a period sufficient for two or three packets to be transferred between the device 10 and the host 16 before re-registration is necessary.
  • the device 10 has a similar timer to indicate when it is necessary to generate another self-authenticating packet to perform re-registration.
  • the timer 55 can be reset to the deregistration delay 104 by each packet sent to or from the device 10 . Again, both the device 10 and the RNG 14 must agree on the timeout method (via a protocol) and must use the same method.
  • a communication system comprising a user device 10 and an infrastructure part 14 and 16 which together include a host 16 .
  • the user device is arranged to generate authentication information 32 unique to the user device and provide a data packet 35 including the authentication information and a host identifier 36 .
  • the infrastructure part (which can be the gateway 14 or the host 16 ) is arranged to generate corresponding authentication information using at least the host identifier from the data packet and combining the authentication information from the user device with the corresponding authentication information to identify a correspondence there between and to thereby authenticate the packet.
  • the authentication process can take place in the host 16 . This would not be the most efficient arrangement in a system having many hosts but can be more efficient in a highly dedicated system having only one host or having only a small number of hosts.
  • An advantage of performing authentication in the gateway 14 is a matter of billing.
  • the host 16 is billed for each successfully authenticated packet.
  • billing software 49 in the RNG 14 generates a billing item for host 16 each time a packet for that host is authenticated and generates a billing item for host 18 each time a packet for that host is authenticated.
  • This has the advantage that the host is not billed for packets that are delivered to the host erroneously or packets that are delivered to the host which are not capable of being authenticated.
  • the gateway 14 delivers all packets having a host identifier 36 matching the identifier of the host 16 and in such an arrangement is most convenient to bill the host 16 for all packets delivered, regardless of whether they are later authenticated.
  • the user device 10 is arranged to generate authentication information unique to the user device and to provide a data packet including the authentication information, wherein the infrastructure part ( 14 or 16 ) is arranged to generate corresponding authentication information and to combine the authentication information from the user device with the corresponding authentication information to identify a correspondence therebetween, and thereby to authenticate the packet and establish a time-limited session between the user device and the host device.
  • FIG. 4 shows a modified user device 200 coupled to the device configurator 22 .
  • the modified user device receives authentication information 32 , as before, and includes control information 33 and host identifier 36 , as before.
  • the modified user device 200 additionally has a real time clock 202 and a date generator 204 . These elements feed into a second authentication algorithm 210 .
  • the second authentication algorithm 210 generates second authentication information at output 212 and this second authentication information is formatted into a data packet together with user data 38 .
  • a self-authenticating packet is generated in packet generator 213 for sending over the network as before.
  • the radio network gateway has a similar real time clock and date generator and a similar second authentication algorithm for replicating the generation of the information.
  • the second authentication algorithm 210 takes into account the current actual time and date.
  • the time and date are not recoverable from the resultant authentication information 212 , but the resultant authentication information 212 is not able to be generated without these elements.
  • the resultant self-authenticating packet is valid for only a particular time and date.
  • the validity preferably extends over a period of time, where the period is sufficiently long in duration to encompass expected delays in the system.
  • when the packet is received at the radio network gateway 14, it is therefore not invalidated merely by the time taken to propagate through the radio data network 12. All authentication information results for clock times in the allowed range are compared with the received authentication information.
  • An advantage of this arrangement is that it is not possible for a “hacker” to intercept a packet and generate identical packets at a later time capable of being authenticated (a replay attack). Thus, for example, in an alarm system, it is not possible for a hacker to intercept and store a packet and, at a later time, generate that packet again and again, thus triggering multiple alarms. In an alarm system, such a weakness would enable a hacker to generate false alarms and cause an owner to deactivate his alarm system on account of an apparent fault.
  • the added feature gives the security that if a packet is intercepted and reproduced, it can be authenticated for only a brief period of time. After this time, it is not possible to modify the packet to generate another self-authenticating packet without knowledge of the authentication information 32 (or the secret key).
  • the user device 10 is arranged to generate authentication information unique to the user device and provide a data packet including the authentication information and time dependent information 202 .
  • the time dependent information can be generated locally at the device 10 from a real-time clock 202 or it can be generated relative to a synchronization message received from the RNG 14 , or indeed it can consist solely of a time-varying synchronization message broadcast by the RNG 14 to all user devices (which could simply be a time stamp or a pseudorandom number).
  • the infrastructure part ( 14 or 16 ) is arranged to generate corresponding authentication information and time dependent information and to combine the authentication information from the user device with the corresponding authentication information and with the time dependent information (e.g. by a simple match operation), to identify a correspondence therebetween and to thereby authenticate a packet.
  • the packet may establish a time-limited session between the user device and host device.
  • the device configurator 22 is disconnected from the device 200 after the authentication information 32 has been generated.
  • the host secret key can be programmed into the device 200 itself (preferably in some manner whereby it is not easily readable).
  • the feature of the time dependent information 202 adds a degree of security to such an arrangement, making it more difficult to derive the host secret key from information generated by the second authentication algorithm. If the host secret key is included in the device 200 , the first and second authentication algorithms can be combined into one algorithm into which is fed the host identifier 26 , the host secret key 28 , the device ID 30 , the time from the real-time clock 202 and the date from the date generator 204 .
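The time-dependent variant of FIG. 4, and the gateway's comparison against every clock value in the allowed range, as an added Python example that is not part of the patent. It assumes the second authentication algorithm 210 is HMAC-SHA256 keyed with the authentication information 32 (as recomputed by the gateway from the host key and device ID) over a one-minute time bucket that stands in for the real-time clock 202 and date generator 204, a window of two buckets either side of the gateway clock, and 16-byte tags. `TimedReceiver`'s seen-cache goes beyond the patent: it also rejects a captured packet that is re-sent inside the window. `second_auth`, `gateway_check`, `TimedReceiver` and the constants are hypothetical names.

```python
"""Added example, not code from the patent: time-dependent authentication
information (FIG. 4) checked over a window of clock values at the gateway.

Assumptions not fixed by the patent: algorithm 210 is HMAC-SHA256 keyed with
the authentication information 32 over the current minute of the epoch
(clock 202 and date generator 204 collapsed into one bucket number); the
gateway accepts any bucket within WINDOW buckets of its own clock; tags are
16 bytes. The seen-cache in TimedReceiver is an addition beyond the patent.
"""
import hashlib
import hmac
import struct

BUCKET_SECONDS = 60   # assumption: clock granularity fed to algorithm 210
WINDOW = 2            # assumption: allowed skew plus propagation delay, in buckets
TAG_LEN = 16          # assumption: length of second authentication information 212


def second_auth(auth_info: bytes, bucket: int) -> bytes:
    """Algorithm 210: the tag cannot be produced without the time bucket, and
    the bucket is not recoverable from the tag."""
    return hmac.new(auth_info, struct.pack(">Q", bucket), hashlib.sha256).digest()[:TAG_LEN]


def bucket_of(now: float) -> int:
    return int(now) // BUCKET_SECONDS


def device_tag(auth_info: bytes, now: float) -> bytes:
    """Device 200: second authentication information 212 for its local clock."""
    return second_auth(auth_info, bucket_of(now))


def gateway_check(auth_info: bytes, tag: bytes, now: float) -> bool:
    """RNG side: compare the received tag against the result for every clock
    value in the allowed range, constant-time per candidate."""
    centre = bucket_of(now)
    return any(hmac.compare_digest(second_auth(auth_info, b), tag)
               for b in range(centre - WINDOW, centre + WINDOW + 1))


class TimedReceiver:
    """Window check plus a seen-cache (beyond the patent) so that a captured
    packet cannot trigger the alarm twice even inside the window."""

    def __init__(self, auth_info: bytes):
        self.auth_info = auth_info
        self.seen = {}   # tag -> gateway bucket in which it was first accepted

    def accept(self, tag: bytes, now: float) -> bool:
        if not gateway_check(self.auth_info, tag, now):
            return False                       # outside the window: stale or forged
        centre = bucket_of(now)
        # drop remembered tags that could no longer verify anyway
        self.seen = {t: b for t, b in self.seen.items() if b >= centre - WINDOW}
        if tag in self.seen:
            return False                       # replay inside the window
        self.seen[tag] = centre
        return True


if __name__ == "__main__":
    ai = bytes(range(16))                      # constructed authentication information 32
    t = device_tag(ai, 10_000)
    print(gateway_check(ai, t, 10_000), gateway_check(ai, t, 10_600))
```

The window width is the trade-off the patent describes: it must cover clock skew plus the radio network's delivery delay, and every bucket inside it is a clock value for which a captured packet still verifies, which is why the seen-cache is worth keeping alongside the time check.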

Abstract

A communication system in which a user device (10) generates authentication information (32) unique to the user device and provides a data packet (35) including this authentication information to an infrastructure part which is a gateway (14) or a host (16). The packet also contains a host identifier (36) or time dependent information (202). This is used at the gateway (14) or the host (16) to authenticate the packet.

Description

FIELD OF THE INVENTION
This invention relates to communication systems in which data packets are communicated between a user device and an infrastructure part including a host. The invention relates to authentication of communications in such a system, and particularly relates to self-authenticating data packets.
BACKGROUND OF THE INVENTION
Most existing “for-fee” public communication networks, such as Motorola's DataTAC™ data radio systems or even cellular phone systems, include a “Home Location Register” commonly referred to as an HLR, which is a database of the network's subscribers. The network operator must create a record in this database for each subscriber. Subscribers are usually identified by a unique ID number. When a subscriber desires services from the network, he (actually his device) must register onto the network, supplying the ID number and possibly some additional authentication information, such as a password or historical information relating to the subscriber. This information is checked (i.e. authenticated) by the network against the subscriber's record in the HLR. All subsequent services are then billed to the identified subscriber. This mechanism works well for subscribers that use enough services for it to be worthwhile to bill them. For some applications however, such as residential alarm systems and others, this is not the case. The number of “subscribers” is very large and it is expensive to add them to the HLR database and also increases the database size slowing access for all subscribers.
Another authentication arrangement based on a register of identified subscribers can be found in U.S. Pat. No. 4,896,319 “Identification and Authentication of End User Systems for Packet Communications Network Services”. Other public/private key approaches for authenticating IP packets, such as is described in U.S. Pat. No. 5,511,122 “Intermediate Network Authentication”, require a database of the sender's public keys. This suffers from the same disadvantages as the HLR method described above.
Existing “free” communication systems (such as the Internet) often have no authentication mechanisms at all, because it is not necessary to bill anyone. Gaining access to the Internet via an “Internet Service Provider”, or ISP, is very similar to the “for-fee” HLR mechanism described above. Each ISP has a database of their subscribers who usually use a password to authenticate their access to the ISPs services.
There is a need for an improved method of authentication in a data or radio data network, preferably one in which the infrastructure does not require an extensive list of all users seeking authentication.
Preferred embodiments of the present invention are now described, by way of example only, with reference to the drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 shows a data network using self-authenticating data packets in accordance with the present invention.
FIG. 2 illustrates a self-authenticating data packet as generated in the system of FIG. 1.
FIG. 3 illustrates operation of the authentication process in FIG. 1.
FIG. 4 illustrates an alternative arrangement for generating a self-authenticating packet in accordance with the invention.
DETAILED DESCRIPTION OF THE DRAWINGS
Referring to FIG. 1, a data network is shown, which in the preferred embodiment is a radio data network such as a DataTAC™ data radio system. The system comprises an end user device 10, which may be mobile, but in the preferred embodiment is a fixed device, such as an alarm monitor or a water, gas or parking meter. The system comprises a radio data network 12, such as the ARDIS™ radio data network and it comprises a situation or radio network gateway (RNG) 14 connected to a host 16. The host 16 may, for example, be an alarm monitoring station, or a water or gas meter reading center or a parking meter reading center or other telemetry system host. One other host 18 is shown. There may be many hosts connected to the gateway 14. Connectable via a port 20 of the device 10 is a device configurator 22.
In greater detail, the device configurator 22 is a general purpose computer or handheld dedicated configurator device having an authentication algorithm 24 and having stored in the device a host identifier 26 identifying the application host 16, a host secret key 28 known only to the operator of the host 16 and the radio network gateway 14 and securely programmed into the device configurator 22, and a device ID 30. The device ID 30 is preferably a link layer identifier which can be entered into the device configurator 22 and identifies the device 10.
The radio network gateway 14 comprises a host information table 40 which correlates host identifiers for the hosts 16, 18, etc. with host secret keys and (optionally) session IDs. The RNG also includes an authentication algorithm 42 which corresponds to the authentication algorithm 24 in a manner that is described in greater detail below. The RNG also comprises a self-authenticating packet receiver 44, a deliver routine, function or element 46, a data packet reformatter 48, billing software 49 (optional) and a registration database 50 (optional).
The operation of the system is as follows. On commissioning of the device 10, the device configurator 22 is connected to the device port and the device ID 30 is entered into the device configurator 22. From the host identifier 26, the host secret key 28 and the device ID 30, the authentication algorithm 24 generates authentication information 32. The exact nature of the authentication algorithm 24 is of no significance and many algorithms are available to those skilled in the art. An example is the DataTAC symmetric key algorithm (defined as part of the RD-LAP protocol suite), which is similar to RC4, the latter being an algorithm well-known in the industry. The algorithm 24 is such that the key 28 is substantially not recoverable from the authentication information 32 but that the authentication information 32 can only be generated from the host identifier 26 and the device ID 30 if the unique secret key 28 is available. (With sufficient processing power and available time with sufficient data the key 28 is recoverable from the authentication information 32, but for practical purposes it is not recoverable.)
In the device 10, a data packet formatter 34 (which is a format data packet process in a processor) formats a self-authenticating packet 35 using the authentication information 32, together with control information 33 (which preferably includes the device ID 30) and a host identifier 36 (which is identical to the host identifier 26). These information items are formatted together using the packet data formatter 34 with user data 38 into the self-authenticating packet 35. Such a self-authenticating packet is illustrated in FIG. 2.
As shown in FIG. 2, a packet 100 comprises the following fields, in order:
    • a packet header 101, which simply indicates that the packet is generated in accordance with a self-authenticating packet specification (but is not necessarily a self-authenticating packet);
    • a packet sub-type 102, optionally indicating that the packet is in fact a self-authenticating packet;
    • a deregistration delay 104, capable of setting a deregistration time of between 0 and 255 seconds;
    • an authentication algorithm field 106, identifying which of a number of authentication algorithms is to be used for authenticating the packet (there may be several); the field is set to “one” for the DataTAC symmetric key algorithm;
    • an optional field 108 reserved for future use;
    • a destination host ID field 110, containing the host identifier 36;
    • an authentication information field 112, containing the authentication information 32;
    • another field 114 reserved for future use; and
    • a user data payload 120, containing the user data 38.
Referring again to FIG. 1, the self-authenticating packet 35 is transmitted over the radio data network 12 to the RNG 14 and is received at the self-authenticating packet receiver 44. At the RNG 14, the host identifier information 36 is extracted from the packet and is used to look up the correct host secret key 28 for the identified host in host information table 40. Optionally, a session ID is extracted from the table 40 if there is already a session in progress. If there is no session in progress, a session ID is allocated.
From the identified host secret key in the host information table 40 and from the host identifier 110 and the device ID part of the packet header 101, the authentication algorithm 42 is able to independently generate authentication information corresponding to the authentication information 32 contained in field 112 of the packet 100. The RNG is able to compare or correlate the independently generated authentication information with the received authentication information to authenticate the packet. In the simplest form, if there is a match, the packet is authenticated and if there is no match, the packet is discarded into a trash file 45. The authentication process 42 may be some process other than a simple comparison. If the packet is successfully authenticated, it is reformatted in reformatter 48 and delivered in delivery element 46 to the application host 16.
The process of authenticating the packet in algorithm 42 in RNG 14 is illustrated in greater detail in FIG. 3. The process starts upon reception of a self-authenticating packet at step 302. In step 304, the destination host ID is extracted from the packet and a look-up operation into host information table 40 is performed to look up the host's secret password (the host secret key 28). In step 306, the correct authentication information is computed from the link layer identifier (from the packet) and the secret password extracted from host information table 40. If, in step 308, the correct authentication information matches the authentication information in the data packet, the packet is delivered at step 310 to the destination host. Otherwise, the packet is discarded in step 312. After steps 310 and 312, the process is completed and stops at step 314.
Upon authentication of the packet and delivery of the packet to the host 16, a session is established between the device 10 and the host 16. In this manner, the authentication of the packet acts to establish automatic registration of the device 10 to the host 16. This feature of registration and sending of data within a single packet is a very useful innovation and improvement over prior arrangements. A single packet can perform the functions of registration and communication of data. The switch or gateway 14 is tied up for the minimum amount of time necessary for the performance of registration and communication of data. Moreover, a further advantageous feature is the provision of an automatic deregistration after a timeout. This feature is achieved by use of a timer 55 in the gateway 14 and, optionally, the deregistration delay 104 of the packet 100.
Upon authentication of the packet in algorithm 42, the registration database 50 is updated by allocation of a session identifier to the particular device identifier by its link layer identifier. This session identifier is used for all further communications between the device 10 and the host 16, either in the device-to-host direction or the host-to-device direction. The session identifier is valid for a limited period of time defined by the timer 55.
In this manner, the application host 16 can immediately reply to the incoming data packet. Typical replies from the host 16 include: (a) an acknowledgment; and (b) unsolicited update information for the device 10. Similarly, if the device 10 has further packets of data to send, either because the first self-authenticating packet had insufficient space in its payload 120 to provide all the data to the host, or because a message from the host generates a need for further messages from the device 10, these subsequent packets from the device 10 can be generated within the same session, using the same session identifier and without the need for each subsequent packet to include all the header information necessary for authentication and registration. This leads to greater efficiency. After a timeout defined by timer 55, the session ID is no longer valid and re-registration by the device 10 is necessary.
The timer can be set to 0. In such an instance, the session ends as soon as the first self-authenticating packet is delivered to the host. Preferably, however, the timer 55 defines a period sufficient for two or three packets to be transferred between the device 10 and the host 16 before re-registration is necessary. The device 10 has a similar timer to indicate when it is necessary to generate another self-authenticating packet to perform re-registration. Alternatively, the timer 55 can be reset to the deregistration delay 104 by each packet sent to or from the device 10. Again, both the device 10 and the RNG 14 must agree on the timeout method (via a protocol) and must use the same method.
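The FIG. 3 check and the session timer described above, as an added Python example that is not part of the patent: a gateway that looks up the host secret key by the host identifier in the packet, recomputes the authentication information from that key, the host identifier and the device ID, compares it in constant time, bills the host only for authenticated packets, allocates a session ID on success and deregisters the device once timer 55 expires. HMAC-SHA256 as the one-way "authentication algorithm 42", the host table contents, the identifiers, the dict packet layout and the 30 s default timeout are all assumptions; the patent fixes none of them.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for host information table 40 (host identifier -> host
# secret key 28).  The key value is made up; the patent does not fix a format.
HOST_TABLE = {"host16": bytes.fromhex("00112233445566778899aabbccddeeff")}


def compute_auth_info(host_secret: bytes, host_id: str, device_id: str) -> bytes:
    """Authentication information 32: one-way function of host secret key, host
    identifier and device (link layer) ID.  HMAC-SHA256 is an assumption; the
    patent only requires that the key not be recoverable from the output."""
    msg = host_id.encode() + b"\x00" + device_id.encode()
    return hmac.new(host_secret, msg, hashlib.sha256).digest()[:16]


class Gateway:
    """Radio network gateway 14: FIG. 3 authentication, registration database
    50 with timer 55, billing software 49 and trash file 45."""

    def __init__(self, host_table, default_timeout=30.0, clock=time.monotonic):
        self.host_table = host_table
        self.default_timeout = default_timeout
        self.clock = clock          # injectable so the demo below is deterministic
        self.sessions = {}          # session_id -> {"device_id", "host_id", "timeout", "expires"}
        self.by_device = {}         # device_id -> session_id
        self.billing = {}           # host_id -> count of authenticated packets
        self.trash = []             # discarded packets
        self.delivered = []         # (host_id, session_id, payload) passed to the host

    def receive_self_auth_packet(self, pkt):
        """Steps 302-314 of FIG. 3.  pkt is a dict with host_id, device_id, auth,
        payload and optional dereg_delay.  Returns the session ID or None."""
        host_secret = self.host_table.get(pkt["host_id"])                 # step 304
        if host_secret is None:
            self.trash.append(pkt)
            return None
        expected = compute_auth_info(host_secret, pkt["host_id"], pkt["device_id"])  # 306
        if not hmac.compare_digest(expected, pkt["auth"]):                # step 308
            self.trash.append(pkt)                                        # step 312
            return None
        self.billing[pkt["host_id"]] = self.billing.get(pkt["host_id"], 0) + 1  # only on success
        sid = self._register(pkt)
        self.delivered.append((pkt["host_id"], sid, pkt["payload"]))      # step 310
        return sid

    def _register(self, pkt):
        """Registration database 50: reuse an unexpired session for the device,
        else allocate a session ID and start timer 55 (deregistration delay 104 if given)."""
        now = self.clock()
        sid = self.by_device.get(pkt["device_id"])
        if sid is not None and self.sessions[sid]["expires"] > now:
            self._reset_timer(sid, now)
            return sid
        timeout = self.default_timeout if pkt.get("dereg_delay") is None else pkt["dereg_delay"]
        sid = secrets.token_hex(4)
        self.sessions[sid] = {"device_id": pkt["device_id"], "host_id": pkt["host_id"],
                              "timeout": timeout, "expires": now + timeout}
        self.by_device[pkt["device_id"]] = sid
        return sid

    def _reset_timer(self, sid, now):
        self.sessions[sid]["expires"] = now + self.sessions[sid]["timeout"]

    def receive_session_packet(self, sid, payload):
        """Later packet in a session: carries the session ID, no authentication
        header.  Each packet resets timer 55 (the optional variant).  True if delivered."""
        now = self.clock()
        rec = self.sessions.get(sid)
        if rec is None or rec["expires"] <= now:
            if rec is not None:                     # timed out: automatic deregistration
                del self.sessions[sid]
                self.by_device.pop(rec["device_id"], None)
            return False
        self._reset_timer(sid, now)
        self.delivered.append((rec["host_id"], sid, payload))
        return True


def demo():
    """Walk one device through registration, session traffic, timeout and re-registration."""
    clock = [1000.0]                                     # fake clock, advanced by hand
    gw = Gateway(HOST_TABLE, default_timeout=30.0, clock=lambda: clock[0])
    dev = "LLID-0042"                                    # constructed link layer ID
    auth = compute_auth_info(HOST_TABLE["host16"], "host16", dev)  # done once by configurator 22
    first = {"host_id": "host16", "device_id": dev, "auth": auth, "payload": b"alarm=armed"}
    sid = gw.receive_self_auth_packet(first)             # authenticated, registered, delivered
    forged = dict(first, device_id="LLID-0043")          # same auth info, different device ID
    forged_sid = gw.receive_self_auth_packet(forged)     # mismatch: discarded, not billed
    clock[0] += 10
    second = gw.receive_session_packet(sid, b"alarm=triggered")  # inside timeout, timer reset
    clock[0] += 29
    third = gw.receive_session_packet(sid, b"alarm=cleared")     # 29 s after reset: still valid
    clock[0] += 31
    fourth = gw.receive_session_packet(sid, b"alarm=armed")      # 31 s later: deregistered
    new_sid = gw.receive_self_auth_packet(first)         # re-registration needs a new self-auth packet
    return {"sid": sid, "forged_sid": forged_sid, "second": second, "third": third,
            "fourth": fourth, "new_sid": new_sid, "billed": gw.billing.get("host16", 0),
            "trashed": len(gw.trash), "delivered": len(gw.delivered)}
```

Two points the walk-through makes visible: the authentication information is bound to the device ID, so the same value presented under another link layer identifier is discarded and never billed; and a timer of 0 (pass `dereg_delay=0`) makes the session expire on the very next check, exactly the "session ends as soon as the first packet is delivered" case. Note also that the final re-registration reuses the identical first packet and succeeds, which is the interception-and-reproduction weakness the time-dependent embodiment of FIG. 4 is designed to remove.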
Thus, there has been described a communication system comprising a user device 10 and an infrastructure part 14 and 16 which together include a host 16. The user device is arranged to generate authentication information 32 unique to the user device and provide a data packet 35 including the authentication information and a host identifier 36. The infrastructure part (which can be the gateway 14 or the host 16) is arranged to generate corresponding authentication information using at least the host identifier from the data packet and to combine the authentication information from the user device with the corresponding authentication information to identify a correspondence therebetween and to thereby authenticate the packet.
Note that the authentication process can take place in the host 16. This would not be the most efficient arrangement in a system having many hosts but can be more efficient in a highly dedicated system having only one host or having only a small number of hosts.
An advantage of performing authentication in the gateway 14 is a matter of billing. The host 16 is billed for each successfully authenticated packet. Thus, in the preferred embodiment, billing software 49 in the RNG 14 generates a billing item for host 16 each time a packet for that host is authenticated and generates a billing item for host 18 each time a packet for that host is authenticated. This has the advantage that the host is not billed for packets that are delivered to the host erroneously or packets that are delivered to the host which are not capable of being authenticated.
If authentication takes place at the host 16, the gateway 14 delivers all packets having a host identifier 36 matching the identifier of the host 16, and in such an arrangement it is most convenient to bill the host 16 for all packets delivered, regardless of whether they are later authenticated.
An arrangement has also been described in which the user device 10 is arranged to generate authentication information unique to the user device and to provide a data packet including the authentication information, wherein the infrastructure part (14 or 16) is arranged to generate corresponding authentication information and to combine the authentication information from the user device with the corresponding authentication information to identify a correspondence therebetween, and to thereby authenticate the packet and establish a time-limited session between the user device and the host device.
A further embodiment of the invention is described with reference to FIG. 4, which shows a modified user device 200 coupled to the device configurator 22. The modified user device receives authentication information 32, as before, and includes control information 33 and host identifier 36, as before. The modified user device 200 additionally has a real time clock 202 and a date generator 204. These elements feed into a second authentication algorithm 210. The second authentication algorithm 210 generates second authentication information at output 212 and this second authentication information is formatted into a data packet together with user data 38. A self-authenticating packet is generated in packet generator 213 for sending over the network as before. The radio network gateway has a similar real time clock and date generator and a similar second authentication algorithm for replicating the generation of the information.
The operation of this embodiment is as follows. In generating the self-authenticating packet, the second authentication algorithm 210 takes into account the current actual time and date. The time and date are not recoverable from the resultant authentication information 212, but the resultant authentication information 212 cannot be generated without these elements. Thus, the resultant self-authenticating packet is valid for only a particular time and date. The validity preferably extends over a period of time, where the period is sufficiently long in duration to encompass expected delays in the system. Thus, when the packet is received at the radio network gateway 14, it is not invalid by virtue of lapse of time through mere propagation through the radio data network 12. All authentication information results for clock times in the allowed range are compared with the received authentication information.
An advantage of this arrangement is that it is not possible for a “hacker” to intercept a packet and generate identical packets at a later time capable of being authenticated. Thus, for example, in an alarm system, it is not possible for a hacker to intercept and store a packet and, at a later time, generate that packet again and again, thus triggering multiple alarms. In an alarm system, such a weakness would enable a hacker to generate false alarms and cause an owner to deactivate his alarm system on account of an apparent fault.
The added feature gives the security that if a packet is intercepted and reproduced, it can be authenticated for only a brief period of time. After this time, it is not possible to modify the packet to generate another self-authenticating packet without knowledge of the authentication information 32 (or the secret key).
Thus, a communication system has been described in which the user device 10 is arranged to generate authentication information unique to the user device and provide a data packet including the authentication information and time dependent information 202. The time dependent information can be generated locally at the device 10 from a real-time clock 202 or it can be generated relative to a synchronization message received from the RNG 14, or indeed it can consist solely of a time-varying synchronization message broadcast by the RNG 14 to all user devices (which could simply be a time stamp or a pseudorandom number). The infrastructure part (14 or 16) is arranged to generate corresponding authentication information and time dependent information and to combine the authentication information from the user device with the corresponding authentication information and with the time dependent information (e.g. by a simple match operation), to identify a correspondence therebetween and to thereby authenticate a packet.
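The time-dependent variant of FIG. 4, as an added Python example that is not part of the patent: the device folds a coarse time step from its real time clock into a second one-way value, and the gateway recomputes that value for every clock time in the allowed range and compares each against what was received, so a packet delayed in the radio network still authenticates while a stale copy does not. It goes one step beyond the description by also remembering which (device, time step) pairs have already been accepted, so that an identical copy reproduced inside the window is refused as well; the patent itself only shortens the period during which such a copy stays valid. HMAC-SHA256 keyed by authentication information 32, the 60 s step, the two-step slack, the identifiers and the sample values are assumptions, and control information 33 is left out of the input.

```python
import hashlib
import hmac

TIME_STEP_SECONDS = 60    # granularity of the clock input to algorithm 210 (assumption)
ALLOWED_SLACK_STEPS = 2   # steps either side of "now" the gateway accepts (assumption)


def time_step(unix_seconds: float) -> int:
    """Real time clock 202 / date generator 204 reduced to a coarse counter."""
    return int(unix_seconds) // TIME_STEP_SECONDS


def second_auth_info(auth_info_32: bytes, host_id: str, device_id: str, step: int) -> bytes:
    """Second authentication algorithm 210: one-way combination of the stored
    authentication information 32, the identifiers and the time step.  The time
    is not recoverable from the output, but the output cannot be produced
    without it.  HMAC-SHA256 keyed by auth info 32 is an assumption; control
    information 33 is omitted here."""
    msg = host_id.encode() + b"\x00" + device_id.encode() + b"\x00" + step.to_bytes(8, "big")
    return hmac.new(auth_info_32, msg, hashlib.sha256).digest()[:16]


class TimedVerifier:
    """Gateway side: recompute for every clock time in the allowed range and
    compare with the received value.  It also remembers which (device, step)
    pairs have already been accepted; that replay cache is an extension beyond
    the patent, which only limits how long a reproduced packet stays valid."""

    def __init__(self, auth_table, slack=ALLOWED_SLACK_STEPS):
        self.auth_table = auth_table   # device_id -> authentication information 32
        self.slack = slack
        self.accepted = set()          # (device_id, step) already used

    def verify(self, host_id, device_id, received: bytes, now_unix: float) -> bool:
        auth32 = self.auth_table.get(device_id)
        if auth32 is None:
            return False
        centre = time_step(now_unix)
        # Drop cache entries that can no longer fall inside the window.
        self.accepted = {k for k in self.accepted if k[1] >= centre - self.slack}
        matched = None
        for step in range(centre - self.slack, centre + self.slack + 1):
            candidate = second_auth_info(auth32, host_id, device_id, step)
            if hmac.compare_digest(candidate, received):
                matched = step        # keep looping: same work whichever step matches
        if matched is None or (device_id, matched) in self.accepted:
            return False              # stale, forged, or an identical copy replayed
        self.accepted.add((device_id, matched))
        return True


def demo():
    """A packet arriving 90 s late is accepted once; a copy is refused; a copy
    arriving ten minutes later falls outside the window."""
    auth32 = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed auth info 32
    dev, host = "LLID-0042", "host16"                             # constructed identifiers
    t0 = 1_700_000_000                                            # constructed send time
    token = second_auth_info(auth32, host, dev, time_step(t0))    # computed on the device
    gw = TimedVerifier({dev: auth32})
    fresh = gw.verify(host, dev, token, t0 + 90)
    replay = gw.verify(host, dev, token, t0 + 100)
    stale = TimedVerifier({dev: auth32}).verify(host, dev, token, t0 + 10 * TIME_STEP_SECONDS)
    return {"fresh": fresh, "replay": replay, "stale": stale}
```

The slack must be chosen from the expected network delay plus the clock drift between device and gateway; the description's alternative of deriving the time input from a synchronization message broadcast by the RNG removes the drift term, since both sides then use the same counter. The loop deliberately does not stop at the first match, so the work done does not reveal which clock value the packet was built for.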
As before, the packet may establish a time-limited session between the user device and host device.
It has been described that it is preferable that the device configurator 22 is disconnected from the device 200 after the authentication information 32 has been generated. This is not essential. The host secret key can be programmed into the device 200 itself (preferably in some manner whereby it is not easily readable). The feature of the time dependent information 202 adds a degree of security to such an arrangement, making it more difficult to derive the host secret key from information generated by the second authentication algorithm. If the host secret key is included in the device 200, the first and second authentication algorithms can be combined into one algorithm into which is fed the host identifier 26, the host secret key 28, the device ID 30, the time from the real-time clock 202 and the date from the date generator 204.
Other modifications of detail can be made by one skilled in the art without departing from the spirit and scope of the invention.

Claims (32)

What is claimed is:
1. A communications system comprising a user device and an infrastructure part including a host,
the user device being arranged to:
generate authentication information unique to the user device, wherein the authentication information is derived from a key that is uniquely derived from a host identifier that identifies the host, and wherein the key is substantially not reversibly ascertainable from the authentication information;
generate a data packet including the authentication information and the host identifier; and
send the data packet to the infrastructure part; and the infrastructure part being arranged to:
generate corresponding authentication information, using at least the host identifier from the data packet; and
combine the authentication information from the user device with the corresponding authentication information to identify a correspondence therebetween and to thereby authenticate the data packet.
2. The communications system of claim 1, further comprising a gateway coupled to a radio network, for radio communication with the user device, wherein the host is coupled to the gateway and wherein the infrastructure part is the gateway.
3. The communications system of claim 2, wherein the gateway comprises billing software arranged to bill the host for each successfully authenticated data packet.
4. The communications system of claim 1, further comprising a gateway coupled to a radio network, for radio communication with the user device wherein the host is coupled to the gateway and wherein the infrastructure part is the host.
5. The communications system of claim 4, wherein the gateway is arranged to forward to the host all packets having a host identifier uniquely identifying the host, without prior authentication.
6. A communications system comprising a user device and an infrastructure part including a host,
the user device being arranged to:
generate authentication information unique to the user device, wherein the authentication information is derived from a key that is substantially not reversibly ascertainable from the authentication information;
generate a first data packet including the authentication information;
send the first data packet to the infrastructure part;
start a timer which sets a time-out; and
send at least a second data packet within the time-out time as part of a session that is common to the first and second data packets; and
the infrastructure part being arranged to:
generate corresponding authentication information; and
combine the authentication information from the user device with the corresponding authentication information to identify a correspondence therebetween and to thereby authenticate the data packet and establish a time-limit session between the user device and the host.
7. The communications system of claim 6, further comprising a gateway coupled to a radio network, for radio communication with the user device, wherein the host is coupled to the gateway and wherein the infrastructure part is the gateway.
8. The communications system of claim 7, wherein the gateway comprises billing software arranged to bill the host for each successfully authenticated data packet.
9. The communications system of claim 6, further comprising a gateway coupled to a radio network, for radio communication with the user device wherein the host is coupled to the gateway and wherein the infrastructure part is the host.
10. The communications system of claim 9, wherein the gateway is arranged to forward to the host all packets having a host identifier uniquely identifying the host, without prior authentication.
11. A communications system comprising a user device and an infrastructure part including a host,
the user device being arranged to:
generate authentication information unique to the user device, wherein the authentication information is derived from a key and time dependent information, and wherein the key and the time dependent information are substantially not reversibly ascertainable from the authentication information;
generate a data packet including the authentication information; and
send the data packet to the infrastructure part; and the infrastructure part being arranged to:
generate corresponding authentication information and time dependent information; and
combine the authentication information from the user device with the corresponding authentication information and time dependent information to identify a correspondence therebetween and to thereby authenticate the packet.
12. The communications system of claim 11, further comprising a gateway coupled to a radio network, for radio communication with the user device, wherein the host is coupled to the gateway and wherein the infrastructure part is the gateway.
13. The communications system of claim 12 wherein the time dependent information comprises a time-varying synchronization message broadcast from the gateway.
14. The communications system of claim 12, wherein the gateway comprises billing software arranged to bill the host for each successfully authenticated data packet.
15. The communications system of claim 11, further comprising a gateway coupled to a radio network, for radio communication with the user device wherein the host is coupled to the gateway and wherein the infrastructure part is the host.
16. The communications system of claim 15, wherein the gateway is arranged to forward to the host all packets having a host identifier uniquely identifying the host, without prior authentication.
17. A method of communicating in a communications system comprising a user device and an infrastructure part including a host, the method comprising:
generating, at the user device, authentication information unique to the user device, wherein the authentication information is derived from a key that is uniquely derived from a host identifier that identifies the host, and wherein the key is substantially not reversibly ascertainable from the authentication information;
generating a data packet including the authentication information and the host identifier;
sending the data packet to the infrastructure part;
generating, at the infrastructure part, corresponding authentication information, using at least the host identifier from the data packet; and
combining, at the infrastructure part, the authentication information from the user device with the corresponding authentication information to identify a correspondence therebetween and to thereby authenticate the data packet.
18. The method of claim 17, wherein authentication of the data packet causes a session to be established between the user device and the infrastructure part.
19. The method of claim 18, wherein a session identifier is entered into a database in the infrastructure part, identifying the session and correlating it with a device identifier uniquely identifying the user device.
20. The method of claim 19, wherein the session identifier is included in further packets within the session exchanged between the infrastructure part and the user device.
21. The method of claim 18, wherein the session ends after a set time-out.
22. A method of communicating in a communications system comprising a user device and an infrastructure part, the method comprising:
generating, at the user device, authentication information unique to the user device, wherein the authentication information is derived from a key that is substantially not reversibly ascertainable from the authentication information;
generating a first data packet including the authentication information;
sending the first data packet to the infrastructure part;
starting a timer which sets a time-out time;
sending at least a second data packet within the time-out time as part of a session that is common to the first and second data packets;
generating, at the infrastructure part, corresponding authentication information; and
combining the authentication information from the user device with the corresponding authentication information to identify a correspondence therebetween and to thereby authenticate the packet and establish a time-limited session between the user device and the host device.
23. The method of claim 22, wherein the second data packet does not include authentication information.
24. The method of claim 22 further comprising restarting the timer on receipt of the second data packet within the time-out time.
25. The method of claim 22, wherein a session identifier is entered into a database in the infrastructure part, identifying the session and correlating it with a device identifier uniquely identifying the user device.
26. The method of claim 25, wherein the session identifier is included in further packets within the session exchanged between the infrastructure part and the user device.
27. A method of communicating in a communications system comprising a user device and an infrastructure part including a host, the method comprising:
generating, at the user device, authentication information unique to the user device, wherein the authentication information is derived from a key and time dependent information, and wherein the key and the time dependent information are substantially not reversibly ascertainable from the authentication information;
generating a data packet including the authentication information;
sending the data packet to the infrastructure part;
generating, at the infrastructure part, corresponding authentication information and time dependent information; and
combining the authentication information from the user device with the corresponding authentication information and time dependent information to identify a correspondence therebetween and to thereby authenticate the data packet.
28. The method of claim 27, wherein authentication of the data packet causes a session to be established between the user device and the infrastructure part.
29. The method of claim 28, wherein a session identifier is entered into a database in the infrastructure part, identifying the session and correlating it with a device identifier uniquely identifying the user device.
30. The method of claim 29, wherein the session identifier is included in further packets within the session exchanged between the infrastructure part and the user device.
31. The method of claim 29, wherein the session ends after a set timeout.
32. The method of claim 27, wherein the time dependent information comprises a time-varying synchronization message broadcast from the infrastructure part to the user device.
Application US09/000,645, filed 1997-12-30 (priority date 1997-12-30): Authentication in a packet data system. Status: Expired - Lifetime. Granted as US6229806B1 (en).


Publications (1)

Publication number: US6229806B1 (en); publication date: 2001-05-08.


US20060098656A1 (en) * 2004-11-10 2006-05-11 Alcatel Access multiplexer system for performing a stateless auto-configuration process
US7911972B2 (en) * 2004-11-10 2011-03-22 Alcatel Access multiplexer system for performing a stateless auto-configuration process
US8055702B2 (en) 2005-04-25 2011-11-08 Netapp, Inc. System and method for caching network file systems
US20070250552A1 (en) * 2005-04-25 2007-10-25 Lango Jason A System and method for caching network file systems
US9152600B2 (en) 2005-04-25 2015-10-06 Netapp, Inc. System and method for caching network file systems
US20070250551A1 (en) * 2005-04-25 2007-10-25 Lango Jason A Architecture for supporting sparse volumes
US8626866B1 (en) 2005-04-25 2014-01-07 Netapp, Inc. System and method for caching network file systems
US7689609B2 (en) * 2005-04-25 2010-03-30 Netapp, Inc. Architecture for supporting sparse volumes
US20070050621A1 (en) * 2005-08-30 2007-03-01 Kevin Young Method for prohibiting an unauthorized component from functioning with a host device
US20070250700A1 (en) * 2006-04-21 2007-10-25 Microsoft Corporation Peer-to-peer contact exchange
US8086842B2 (en) 2006-04-21 2011-12-27 Microsoft Corporation Peer-to-peer contact exchange
US8683572B1 (en) * 2008-01-24 2014-03-25 Dunti Llc Method and apparatus for providing continuous user verification in a packet-based network
CN101232736B (en) * 2008-02-22 2012-02-29 中兴通讯股份有限公司 Method for setting initialization of cryptographic key existence counter among different access systems
CN101267670B (en) * 2008-04-15 2012-09-05 中兴通讯股份有限公司 An initialization setup method for secret key survival counter between different access systems
US8813197B2 (en) 2008-12-15 2014-08-19 Novell, Inc. Techniques for network process identity enablement
US20100154037A1 (en) * 2008-12-15 2010-06-17 Jason Allen Sabin Techniques for network process identity enablement
US9882965B2 (en) 2008-12-15 2018-01-30 Micro Focus Software Inc. Techniques for network process identity enablement
FR2976760A1 (en) * 2011-06-17 2012-12-21 France Telecom METHOD FOR PROCESSING A TRANSMIT DATA PACKET, METHOD FOR PROCESSING A RECEIVE DATA PACKET, DEVICES, AND ASSOCIATED NODE DEVICES
US9247430B2 (en) 2011-06-17 2016-01-26 Orange Method of processing a data packet on transmission, a method of processing a data packet on reception, and associated devices and nodes
WO2012172267A1 (en) * 2011-06-17 2012-12-20 France Telecom Method of processing a data packet on transmission, method of processing a data packet on reception, device and node equipment associated therewith
US20140041012A1 (en) * 2012-07-31 2014-02-06 Telekom Malaysia Berhad System for the management of access points
US20140129834A1 (en) * 2012-11-02 2014-05-08 Jacob Andrew Brill Providing User Authentication
US9444624B2 (en) * 2012-11-02 2016-09-13 Facebook, Inc. Providing user authentication
US20160352519A1 (en) * 2012-11-02 2016-12-01 Facebook, Inc. Providing user authentication
US9819492B2 (en) * 2012-11-02 2017-11-14 Facebook, Inc. Providing user authentication
US20180041340A1 (en) * 2012-11-02 2018-02-08 Facebook, Inc. Providing user authentication
US10110384B2 (en) * 2012-11-02 2018-10-23 Facebook, Inc. Providing user authentication

Similar Documents

Publication Publication Date Title
US6229806B1 (en) Authentication in a packet data system
EP1361694B1 (en) Public key certification issuing apparatus
EP1355447B1 (en) Public key certification providing apparatus
US6704789B1 (en) SIM based authentication mechanism for DHCPv4/v6 messages
US5822434A (en) Scheme to allow two computers on a network to upgrade from a non-secured to a secured session
JP3445986B1 (en) Servers, devices and communication systems connected to the Internet
CN111799867B (en) Mutual trust authentication method and system between charging equipment and charging management platform
CN101099320B (en) Clock-based replay protection
EP1683322B1 (en) Shared secret usage for bootstrapping
US6725276B1 (en) Apparatus and method for authenticating messages transmitted across different multicast domains
RU2011148636A (en) METHOD AND SYSTEM FOR MANAGING A DATA TRANSFER NETWORK THROUGH A BODY AREA USING A COORDINATING DEVICE
CN101197664A (en) Method, system and device for key management protocol negotiation
JP2001265729A (en) Multicast system, authentication server terminal, multicast recipient terminal managing method and recording medium
US20130074176A1 (en) Confidential communication method using vpn, system thereof, program thereof, and recording medium for the program
US20040024882A1 (en) Enabling authorised-server initiated internet communication in the presence of network address translation (NAT) and firewalls
CN101729568A (en) Safety access system and method for guaranteeing source address authenticity by using token mechanism
KR101485747B1 (en) Method of configuring a node, related node and configuration server
JPH11177582A (en) Packet transfer method and base station used for the method
CN117014887A (en) Multi-factor verifiable low-power consumption Bluetooth equipment IPv6 address automatic configuration method and system
JP2003283489A (en) Packet authentication system, authentication method, group management server and group member device
CA2632159A1 (en) Method for securely associating data with http and https sessions
CN100428667C (en) Strong authentication method for digital signature mode using public key encrgption algorithm
WO2004012413A1 (en) Served initiated authorised communication in the presence of network address translator (nat) or firewalls
JPH07107084A (en) Cipher communication system
He et al. An asymmetric authentication protocol for M-Commerce applications

Legal Events

Date Code Title Description
AS Assignment

Owner name: MOTOROLA, INC., ILLINOIS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LOCKHART, THOMAS WAYNE;SCOTTON, GEOFFREY RICHARD;REARDON, KARL ANTHONY;REEL/FRAME:008919/0763;SIGNING DATES FROM 19971210 TO 19971218

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

FPAY Fee payment

Year of fee payment: 8

AS Assignment

Owner name: MOTOROLA MOBILITY, INC, ILLINOIS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MOTOROLA, INC;REEL/FRAME:025673/0558

Effective date: 20100731

AS Assignment

Owner name: MOTOROLA MOBILITY LLC, ILLINOIS

Free format text: CHANGE OF NAME;ASSIGNOR:MOTOROLA MOBILITY, INC.;REEL/FRAME:029216/0282

Effective date: 20120622

FPAY Fee payment

Year of fee payment: 12

AS Assignment

Owner name: GOOGLE TECHNOLOGY HOLDINGS LLC, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MOTOROLA MOBILITY LLC;REEL/FRAME:034485/0449

Effective date: 20141028